
Cybercriminals stole $400K via Apple Store’s third-party pickup

Ray Fernandez

Apr 25, 2024


If you’re thinking about buying an Apple product online through an unofficial sales channel that offers a discount, you might want to reconsider. 

On April 18, Black Hat revealed that cybercriminals are using stolen credit cards, creating fake secondhand online stores, and manipulating the Apple Store’s “Someone else will pick up these items” option to commit financial fraud. So far, the group has stolen just under half a million dollars ($400,000) in the past 2 years. 

E-commerce fraud is nothing new. In fact, these types of fraud are significant and becoming a global, multi-billion-dollar problem. These new e-commerce scams serve to highlight an ongoing cybersecurity issue.

Operation PoisonedApple: From credit card theft to Apple Store payment fraud 

At the 2024 annual hacking conference Black Hat Asia, researchers Gyuyeon Kim and Hyunho Cho from the Financial Security Institute presented a paper titled Operation PoisonedApple.  

The report reveals that a group of cybercriminals has been stealing credit card information online and breaching or impersonating secondhand online e-commerce sites from South Korea for the past 2 years.

The group is technically advanced and sophisticated. It inserts phishing malware into known secondhand e-commerce sites, or creates fake ones, and impersonates major credit card companies’ digital resources.

How Operation PoisonedApple works:

  1. Bad actors steal credit card information through e-commerce sites that are fake or infected with phishing malware.
  2. They promote Apple products for sale on secondhand e-commerce sites at moderate discounts.
  3. When users buy these cheaper Apple products, the group uses the stolen credit card belonging to the first victim to buy the same product from the Apple Store for the second victim and pockets the money.
  4. By selecting the Apple Store option “Someone else will pick up these items,” the attackers avoid contact with Apple Stores.

This scheme affects not only the users whose credit card information is stolen but also those buying Apple products at discounts, as well as the Apple Store itself. 

An image from the presentation of Operation PoisonedApple at Black Hat Asia 2024.

50 compromised e-commerce websites 

During their investigation, researchers from the Financial Security Institute discovered that the group now running Apple Store e-commerce fraud schemes used to be engaged in malware attacks. Motivated by monetary gain, they have pivoted to this financial scam in recent years.

Researchers also analyzed 5,000 domains and found that this group had breached more than 50 legitimate online stores. 

“These threat groups employed various evasion strategies to prevent detection of their phishing pages by site administrators and users, using multiple vulnerabilities and tools,” researchers said at the presentation of the report. 

The ultimate objective: Financial gain 

To avoid raising suspicion, the group did not use high discounts when selling Apple technology. For example, 9to5mac reported that a new iPhone 15 that costs $800 might be listed for $700 on the secondhand market. This would drive interest in potential buyers while avoiding the appearance of a scam. 

The group impersonated or breached:

  • MetaMask (a decentralized crypto wallet) sites and apps
  • Famous department stores in Korea
  • A duty-free shop phishing site 
  • A famous outlet brand in Korea
  • Malicious apps disguised as funeral notices

The main goal of these attacks was to steal credit card numbers and personal information to later carry out the final stages of the Apple Store fraud.

Who is EvilQueen?

Researchers attributed these attacks and frauds to a new group dubbed EvilQueen. When analyzing the code in these attacks and fake sites, researchers found that the group spoke Chinese. 

EvilQueen has been active since 2009 and has targeted victims in Korea, Taiwan, and China. However, experts warned that nothing is stopping this group or other groups from expanding their criminal campaign globally. 

The identified victims include 50 online stores, over 8,000 credit card holders, and data belonging to 5 million people. 

The paper also links this group to a February 2024 incident reported by The Korea Economic Daily. In this case, an office worker, Mr. Yoon, had his credit card physically stolen.

While working in his office, Mr. Yoon received an Apple notification informing him that he had spent $10,000 at an Apple Store. Mr. Yoon immediately looked for his wallet and discovered his card was missing. CCTV camera footage identified the thief as “a person wearing a black coat and a hat.”

Mr. Yoon reported the incident to the police, the credit card company, and Apple. According to the report, however, Apple refused to cooperate, citing internal regulations and hindering the investigation.

Researchers claim that Apple’s refusal to provide any information, citing internal policy, has already led to criticism internationally and in the United States. 

Abusing the Apple Store’s “Someone else will pick up these items” policy

In these attacks, criminals exploited the Apple Store’s “Someone else will pick up these items” option. 

In addition to shipping and normal pickup options, Apple customers have the option to select “Someone else will pick up these items” when buying online products through the Apple Store.

An image of an Apple Store pickup desk.
Apple Store is a trademark of Apple Inc.

According to Apple, all you need to do to use this option is select it when checking out and designate an alternate person who is permitted to pick up the items.

“If you have designated an alternative pickup person, they will need to bring the order number and their own valid government-issued photo ID,” Apple says. 

Apple Legal elaborates on the policy, stating that if users select in-store pickup, they may designate a third party to pick up their order. To do so, they must provide the name and email address of the third party. Apple’s legal team adds that certain products and payment methods are not eligible for in-store pickup by a third party.

None of these Apple policies act as security guardrails for the type of large-scale fraud that is developing in Asia.

Apple goes to town with megastore in South Korea

On April 9, 2022, Apple opened one of the largest Apple Stores in Asia, Apple Myeongdong, in South Korea. The store, located in the center of Seoul’s busy Myeong-dong shopping district, attracts a high volume of customers on a daily basis. 

An image of a massive Apple Store opening in Myeong-dong, South Korea.
Apple Myeongdong in Seoul, South Korea, one of the biggest Apple Stores in Asia. Apple Store is a trademark of Apple Inc.

“We are thrilled to deepen our relationship with our Korean customers with the opening of this special store in Myeongdong,” Deirdre O’Brien, Apple’s Senior Vice President of Retail and People, said at the opening.

Apple proudly announced that the new store in South Korea had been fitted with a “newly dedicated Apple Pickup area, the first of its kind in Asia.” 

The state of global e-commerce fraud

This new criminal enterprise targeting Apple users is, as mentioned, part of a rising global trend of e-commerce fraud.

While in the past, users have individually complained about stolen credit cards used in the Apple Store through posts on Reddit and posts on Apple Community forums, this new investigation is the first to uncover a large criminal operation taking this brand of fraud to the next level — stealing $400,000 so far.

Waves of global e-commerce fraud are generating billions of dollars in losses. Statista found that global e-commerce fraud reached $17.5 billion in 2020 and was expected to peak at $48 billion in 2023. A Cybersource report adds that 60% of merchants surveyed say they experienced an increase in misuse over the past 12 months.

Tips for staying safe from e-commerce fraud

This report highlights a sophisticated e-commerce scam targeting Apple users. Overall, while the “Someone else will pick up these items” option offers convenience, it can be exploited by criminals.

Here’s how to stay safe from this scam:

  • Beware of discounted Apple products: If a deal on a secondhand site seems too good to be true, it probably is. Stick to reputable retailers when shopping for Apple products.
  • Verify seller legitimacy: Research the seller before buying. Look for reviews and check their website for secure payment options.
  • Avoid using alternate pickup for online orders: When buying online from Apple, consider secure delivery options instead of the “Someone else will pick up these items” option.
  • Monitor your accounts: Regularly review your credit card statements and Apple purchase history for suspicious activity.
  • Report fraud immediately: If you suspect fraud, contact your bank and Apple right away.

By following these tips, you can minimize your risk of falling victim to similar scams and protect your hard-earned money.

Remember, e-commerce fraud is not expected to slow down. Rather, experts agree that it will increase. While we wait for Apple to take action to prevent attacks like these from happening, it is your responsibility to make sure you don’t fall victim to these scams. 

This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. Apple Store is a trademark of Apple Inc.

Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.